Insecurity Found in Google

13 comments

Basic coding requires you validate user input so that events such as Cross Site Scripting do not leave your users (and potentially you) vulnerable to abuse.

RSnake has found an XSS hole in Google, and I have confirmed it is vulnerable on all 140-odd of Google's other country domains.

The question for me isn't why this happened. (Shit happens) But how quickly G will rectify this.

[url=http://www.google.co.uk/ig/feeds?q=http://www.threadwatch.org/node/feed??%3CSCRIPT%3Ealert('OOPS')%3C/SCRIPT%3E&page=advdsrch]OOPS![/url]

Comments

I believe it's either fixed

I believe it's either fixed or the fix is going out. The link that Philipp mentioned at http://blog.outer-court.com/archive/2006-07-06-n81.html already doesn't show the alert now.

I am not a big fan

I am not a big fan of people announcing a security flaw like this. I am happy Google fixed it on short notice, but something like this should have been handled without it being on Google news...

from the RSnake guy...

Quote:
Typically I don’t believe in full disclosure as a release methodology (for instance, if I found a remote vulnerability in Microsoft, I wouldn’t disclose that without giving Microsoft months to release a patch as they have taken their patching process very seriously as of late). However, it takes all but a few days to patch these issues in a website, and Google has not done so, making contacting the vendor a useless exercise to date. The clock is ticking, Google.

So he's addressed the issue (or at least thought about it). Now I wonder if these other identified Google vulnerabilities have also been fixed? There are redirection phishing holes, which exploit the community's trust in the Google.com domain by redirecting to nefarious websites "behind the scenes". RSnake says they are 6 months old, and still live....

http://froogle.google.com/froogle_url?q=http://www.cnn.com
http://www.google.com/url?sa=l&q=http://www.cnn.com/&ai=BsbPer84UQ7D7B73WsAGz6_3bAougzgu3ld23AeualQaA8lcQARgBIPJOKAhIkjlQjrnN4Pj_____AcgBAQ&num=1
http://catalogs.google.com/url?sa=H&title=PC+Connection&subtitle=&q=http://www.cnn.com
http://images.google.com/imgres?imgurl=.&imgrefurl=http://www.cnn.com

I clicked a few and they still worked... they all reportedly harmlessly redirect to CNN as configured here, but could go anywhere while using the www.Google.com domain's reputation and your trust. It was trivial to find plenty of this using... umm...Google.... and even notes from 2+ years ago that such vulnerabilities exist.

Oh, and of course we know that images can be used to transfer viruses these days. So how about using Google to display your own image on the Google search page? Like this threadwatch image? Think about all of those complicated google.com/blahblahblah+search=+query= things you click on every day while researching your SEO stuff... do you inspect each one to know exactly what you are actually loading into your browser? Of course you don't. You trust the www.google.com domain. That's the point.

I take my hat off to GOOG

I take my hat off to GOOG for fixing this so quickly. Not because it's a hard thing to fix but because big companies generally move at the speed of dinosaurs in these matters.

Like I said above, shit happens but G have shown that they (in this instance) have the security of their users paramount.

John. I disagree about the redirectors. I agree with a lot of the (very vocal talk) on the FD list that the redirector does what it is designed to do. Although the redirectors can be used that way, that is a side effect of what they are supposed to do and the harm that can be delivered by them is small and almost impossible to stop while still retaining the functionality that they are designed to deliver.

Ahhh and before anyone starts to think this is just a big G security thing, I'd start checking all the other engines and hugely trafficked sites out there. I promise you XSS flaws exist with them too!

Not that easy

I'm torn on the redirect thing. I know the functionality is to redirect, but we have to be practical and today, the targets of those scams do not understand the redirect function. And they do trust the Google brand.

Here's an idea, why doesn't Google put their linkspam-deterring redirector onto something like xgdfdgd.com instead of Google.com? Then an innocent redirect script changes from:

http://froogle.google.com/froogle_url?q=http://www.cnn.com

to

http://xgdfdgd.com/xgdfdgd_url?q=http://www.cnn.com

That works exactly the same, doesn't it? Oh, but it also looks odd, and perhaps untrustworthy? So better to put the www.google.com domain then? Do you see the point?

You can trade on your brand trust, or you can forsake it. We all know where the true interests lie for Google. It is probably best that such redirects look untrustworthy (because they are), but Google will prefer the branding profits over user security and privacy. It's probably considered very small collateral damage, IMHO. One could easily argue that not using Google.com might cause further vulnerability blindness, again due to trust blindness. I don't know.

I didn't intend to take a position in my post above. I intended it to shine more light on the real issue, which is that someone is exploiting the common trust in the Google name, and someone is allowing that exploit, and there is likely a profit motive behind both (as usual). Oh, and I also wanted to address TheFounder's very valid concern about disclosure. It's nicer to see a cracker acknowledge it than ignore it.

ahem ...

GOOGLE PAY?

These are the same people right? Working on the crown jewel of their world. And shit still happened.

*cough*

plumsauce, on the other

plumsauce, on the other hand:
http://news.netcraft.com/archives/2006/06/16/paypal_security_flaw_allows_identity_theft.html
The article is about an XSS hole on Paypal 2-3 weeks ago. My personal take is that any website will be scrutinized by crackers, so companies need to be able to respond quickly.

The url redirection bothers me less, but personally I'd like to make it so that only Google can redirect through those urls.

Glad to hear it

Regarding your last sentence: "but personally I'd like to make it so that only Google can redirect through those urls" I'm glad to hear it from the horse's mouth, Matt. Sorry for the trouble I've caused you personally, if any, regarding the XSS/redirector issues. For the time being I'm through going full disclosure, as I told Cory Altheide (Google Incident Response Lead). It just wasn't worth the trouble. However, I cannot speak for the people who frequent my site.

FYI, I'm just spinning up a few SEO projects now, that you'll probably want to know about upon completion - although truth be told, I have very little spare time to play with SEO or security auditing, given that I have an unrelated day job, so it might take some time. Stay tuned.

Trouble? What trouble?

Quote:
It just wasn't worth the trouble.

Can you elaborate RSnake? We'd like to know more about what trouble you may have experienced. For the sake of transparency and all.

Troubles

Ah, sorry John, I thought you had all read my follow-up to the original post. Here it is: http://ha.ckers.org/blog/20060706/google-disclosure-fallout/

The url redirection bothers

Quote:
The url redirection bothers me less, but personally I'd like to make it so that only Google can redirect through those urls.

Matt, is that because, without manual adjustment in the ranking algo, and half a dozen links that almost any URL that used it would rock the world?

Got it, thanks.

I see Jason has upped the ante a tiny bit.

Just to close this subject

Just to close this subject out, I think the open url redirection such as
http://www.google.com/url?q=http://www.cnn.com/
has been closed; now we show an interstitial page that requires an active click.

John Andrews, a couple of the examples you mentioned don't work any more, but I'll ask about the other couple. To the extent that open url redirection was being used by phishers, closing the most-used url should make a difference.
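
The two mitigations raised in this thread ("only Google can redirect through those urls" and an interstitial page that requires an active click) can be combined in one handler. The sketch below is an added example, not code from the thread or from Google; the `sig` parameter, `SECRET_KEY`, `sign_target` and `handle_redirect` are hypothetical names chosen for illustration.

```python
import hashlib
import hmac
import html
from urllib.parse import urlsplit

# Assumption: a secret held only by the site that runs the redirector.
SECRET_KEY = b"constructed-demo-key"


def sign_target(target):
    """Hex HMAC-SHA256 tag the site attaches to links it generates itself."""
    return hmac.new(SECRET_KEY, target.encode("utf-8"), hashlib.sha256).hexdigest()


def handle_redirect(target, sig=""):
    """Answer a hypothetical /url?q=<target>&sig=<sig> request.

    Returns (status, headers, body):
      400: target is not a clean absolute http(s) URL
      302: tag verifies, so the site itself issued this link
      200: unsigned or tampered link, answered with a click-through page
    """
    # Refuse CR/LF before parsing so the value can never split a header.
    if "\r" in target or "\n" in target:
        return 400, {}, "Bad redirect target"
    try:
        parts = urlsplit(target)
    except ValueError:
        return 400, {}, "Bad redirect target"
    # Only web URLs: blocks javascript:, data: and relative targets.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return 400, {}, "Bad redirect target"

    expected = sign_target(target).encode("ascii")
    if hmac.compare_digest(expected, sig.encode("utf-8")):
        return 302, {"Location": target}, ""

    # Interstitial: no automatic navigation, and the user-supplied URL is
    # HTML-escaped wherever it is reflected into the page.
    safe = html.escape(target, quote=True)
    body = (
        "<p>This link leaves our site and goes to:</p>"
        f"<p><code>{safe}</code></p>"
        f'<p><a href="{safe}" rel="noreferrer">Continue</a></p>'
    )
    return 200, {"Content-Type": "text/html; charset=utf-8"}, body
```

Because the tag covers the full target string, a signature issued for one destination does not validate for any other, so a link someone else constructs falls through to the click-through page.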
